agent-release-manager

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill runs npx commands (e.g., "npx ruv-swarm hook ..." which will fetch/execute the ruv-swarm package from the npm registry, effectively https://registry.npmjs.org/ruv-swarm) and performs runtime git/gh operations (e.g., "gh repo clone :owner/:repo" -> https://github.com/:owner/:repo.git) that fetch remote code which is executed as part of the hooks/pipeline, so these external fetches directly execute remote code and are required for the skill to run.